G8264 Application Guide for ENOS 8.4
Drops invalid ARP packets and sends a syslog message with details about each dropped packet.
DAI determines the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a trusted database, the DHCP snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the switch. As shown in Figure 35, if the ARP packet is received on a trusted interface, the switch forwards the packet without any checks. On untrusted interfaces, the switch forwards the packet only if it is valid.
For hosts with statically configured IP addresses, static DHCP snooping binding entries can be configured with a long lease time.
Figure 35. Dynamic ARP inspection at work
(Figure: ARP packets enter DAI, which checks them against the DHCP snooping binding database; valid packets are forwarded and invalid packets are dropped.)

Interface Trust States and Network Security

DAI associates a trust state with each interface on the switch.
In a typical network configuration, you configure all switch ports connected to host ports as untrusted and configure all switch ports connected to switches as trusted. With this configuration, all ARP packets entering the network from a given switch bypass the security check.
The trust state configuration should be done carefully: configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity.
In Figure 36, assume that both Switch A and Switch B are running DAI on the VLAN that includes Host 1 and Host 2. If Host 1 and Host 2 acquire their IP addresses from the DHCP server connected to Switch A, only Switch A has the DHCP IP-to-MAC binding of Host 1. Therefore, if the interface between Switch A and Switch B is untrusted, the ARP packets from Host 1 are dropped by Switch B. Connectivity between Host 1 and Host 2 is lost.
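The decision DAI makes per packet (skip the check on a trusted port, otherwise compare the ARP sender IP/MAC against the DHCP snooping binding database and drop on mismatch) is small enough to model directly. The following Python is an added example, not code from the G8264 guide or from ENOS: the DaiSwitch class, port names, VLAN number, and the IP and MAC values are all constructed for illustration. It replays the Figure 36 scenario, first with the interswitch link untrusted (Switch B has no binding for Host 1 and drops its ARP) and then with the link marked trusted (Switch B forwards without checking), and separately shows a mismatched packet on an untrusted host port being dropped with a syslog-style entry.

```python
"""Model of DAI trust states and binding-database validation (added example,
not part of the G8264 Application Guide; all names and addresses constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpPacket:
    """The fields DAI looks at: ARP sender IP/MAC plus the ingress port and VLAN."""
    sender_ip: str
    sender_mac: str
    ingress_port: str
    vlan: int


@dataclass
class DaiSwitch:
    """Hypothetical switch: DAI-enabled VLANs, per-port trust state, binding DB, syslog."""
    name: str
    dai_vlans: Set[int] = field(default_factory=set)
    trusted_ports: Set[str] = field(default_factory=set)
    bindings: Dict[Tuple[int, str], str] = field(default_factory=dict)  # (vlan, ip) -> mac
    syslog: List[str] = field(default_factory=list)

    def learn_binding(self, vlan: int, ip: str, mac: str) -> None:
        """DHCP snooping (or a static entry for a fixed-IP host) populates the DB."""
        self.bindings[(vlan, ip)] = mac.lower()

    def inspect(self, pkt: ArpPacket) -> bool:
        """Return True if the ARP packet is forwarded, False if DAI drops it."""
        if pkt.vlan not in self.dai_vlans:
            return True  # DAI not enabled on this VLAN: no inspection
        if pkt.ingress_port in self.trusted_ports:
            return True  # trusted interface: forwarded without any checks
        if self.bindings.get((pkt.vlan, pkt.sender_ip)) == pkt.sender_mac.lower():
            return True  # untrusted interface, but the binding matches
        self.syslog.append(
            f"{self.name}: DAI dropped ARP sender_ip={pkt.sender_ip} "
            f"sender_mac={pkt.sender_mac} port={pkt.ingress_port} vlan={pkt.vlan}"
        )
        return False


def figure36_scenario(interswitch_trusted: bool) -> dict:
    """Host 1 leases its address through Switch A; Switch B never saw that DHCP exchange."""
    vlan = 10
    switch_a = DaiSwitch("SwitchA", dai_vlans={vlan})
    switch_b = DaiSwitch("SwitchB", dai_vlans={vlan})
    switch_a.learn_binding(vlan, "10.0.10.11", "00:11:22:33:44:01")  # only A holds Host 1's binding
    if interswitch_trusted:
        switch_a.trusted_ports.add("port_to_B")
        switch_b.trusted_ports.add("port_to_A")
    host1_arp = ArpPacket("10.0.10.11", "00:11:22:33:44:01", "port_host1", vlan)
    forwarded_by_a = switch_a.inspect(host1_arp)
    # Switch A relays the ARP toward Host 2; on Switch B it arrives on the interswitch port.
    relayed = ArpPacket(host1_arp.sender_ip, host1_arp.sender_mac, "port_to_A", vlan)
    forwarded_by_b = switch_b.inspect(relayed) if forwarded_by_a else False
    return {
        "forwarded_by_switch_a": forwarded_by_a,
        "reaches_host2": forwarded_by_a and forwarded_by_b,
        "switch_b_syslog": list(switch_b.syslog),
    }


def untrusted_host_port_check() -> dict:
    """On an untrusted host port, only a packet matching the binding DB is forwarded."""
    vlan = 10
    sw = DaiSwitch("SwitchA", dai_vlans={vlan})
    sw.learn_binding(vlan, "10.0.10.1", "00:11:22:33:44:aa")  # constructed static entry
    genuine = ArpPacket("10.0.10.1", "00:11:22:33:44:AA", "port_gw", vlan)
    mismatched = ArpPacket("10.0.10.1", "00:11:22:33:44:bb", "port_host3", vlan)
    return {
        "valid": sw.inspect(genuine),
        "mismatched": sw.inspect(mismatched),
        "syslog": list(sw.syslog),
    }


if __name__ == "__main__":
    for trusted in (False, True):
        r = figure36_scenario(trusted)
        print(f"interswitch link trusted={trusted}: Host 1 ARP reaches Host 2 = {r['reaches_host2']}")
        for line in r["switch_b_syslog"]:
            print("  ", line)
    print(untrusted_host_port_check())
```

Running the scenario with the interswitch port untrusted reproduces the connectivity loss the text describes: Switch A forwards Host 1's ARP (its binding matches), but Switch B has no binding for Host 1 and drops the relayed packet, logging it. Marking the interswitch ports trusted on both switches makes Switch B skip the check, which is the typical configuration for switch-to-switch links.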